Pages

Monday, January 25, 2016

Consent and authorization under the CFAA

Posted by
Michael Risch

James Grimmelmann (Maryland) has posted Consenting to Computer Use on SSRN. It's a short, terrific essay on how we should think about solving the definition of authorized access and exceeding authorized access under the CFAA, what I've previously called a very scarystatute.

At the heart of the matter is this: how do we know when use of a publicly accessible computer is authorized or when that authorization has been exceeded? Grimmelmann suggests that we the question is not as new as it seems; rather than focusing on the behavior of the accused, we should be looking at the consent given by the computer owner. And there's plenty of law, analysis, and philosophy relating to consent. The abstract is here:

The federal Computer Fraud and Abuse Act (CFAA) makes it a crime to “access[] a computer without authorization or exceed[] authorized access.” Courts and commentators have struggled to explain what types of conduct by a computer user are “without authorization.” But this approach is backwards; authorization is not so much a question of what a computer user does, as it is a question of what a computer owner allows.

In other words, authorization under the CFAA is an issue of consent, not conduct; to understand authorization, we need to understand consent. Building on Peter Westen’s taxonomy of consent, I argue that we should distinguish between the factual question of what uses a computer owner manifests her consent to and the legal question of what uses courts will deem her to have consented to. Doing so allows to distinguish the different kinds of questions presented by different kinds of CFAA cases, and to give clearer and more precise answers to all of them. Some cases require careful fact-finding about what reasonable computer users in the defendant’s position would have known about the owner’s expressed intentions; other cases require frank policy judgments about which kinds of unwanted uses should be considered serious enough to trigger the CFAA.

On the one hand, I thought the analysis was really helpful. It separates legal from factual consent, for example. On the other hand, it does not offer an answer to the conundrum (nor does it pretend to - it is admittedly a first step): in the borderline case, how is a user to know in advance whether a particular action will be consented to?

Grimmelmann moves the ball forward by distinguishing legal consent (which can be imposed by law) even if factual consent is implicitly or explicitly lacking. But diverging views of what the law should allow (along with zealous prosecutors and no ex ante notice) still leaves the CFAA pretty scary in my view.